Regulatory Compliance in the Cloud

Choosing to upload your data to the cloud is, for the most part, a moot point; the advantages of mobility, scalability and convenience have proven that cloud platforms are a necessary and vital tool for the advancement of modern-day industry. However, some issues are still a challenge for the online world, including that of regulatory compliance and protecting sensitive data.

Many times, businesses focus so much attention on the technological aspect of incorporating a cloud platform into their business management strategy that regulatory compliance gets set somewhere in the background. After all, setting up a cloud, synchronizing your data and then training your employees on how to use this database is a monumental task.

Add to the mix the complexities of the law and your once brilliant idea of updating your company quickly becomes overwhelming and expensive. Nonetheless, those companies, clients and employees who have sensitive data stored in the cloud are the ones who will benefit from the safeguards of the law.

Regulatory Compliance In Action

Regulatory compliance is when a company obeys the laws, regulations, guidelines and specifications that pertain to its business. Here are a few practical examples from TechTarget:

Sarbanes-Oxley Act (SOX) of 2002: SOX was enacted in response to the high-profile Enron and WorldCom financial scandals. It’s meant to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. Among other provisions, the law sets rules on storing and retaining business records in IT systems.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA Title II includes an administrative simplification section that mandates standardization of electronic health records systems and includes security mechanisms designed to protect data privacy and patient confidentiality.

Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a set of policies and procedures created in 2004 by Visa, MasterCard, Discover, and American Express to ensure the security of credit, debit, and cash card transactions.

Federal Information Security Management Act (FISMA): Signed into law in 2002, FISMA requires federal agencies to conduct annual reviews of information security programs in order to keep risks to data at or below specified acceptable levels.

In a global economy, it is also necessary to be aware of the laws that are enforced not just pertaining to your industry but also in the countries where your customers live. Here’s a relevant story to illustrate that point.

Peter Humphrey operated ChinaWhys Co. Ltd., a private investigation firm that was hired by UK pharmaceutical company GlaxoSmithKline to address bribery allegations. Humphrey sold Chinese citizens’ personal information. His actions violated Article 253 of China’s Amendments to Criminal Law (VII), which bans “stealing or illegally obtaining, by any means, personal information”. Chinese law also states that employers must keep the personal data of all employees confidential and prohibits the disclosure of personal data of any employee. Humphrey could have avoided huge legal ramifications if he had done his homework researching Chinese privacy laws first.

Benefits of Shared Responsibility

Just as a business owner may be under scrutiny if a patron gets injured on his or her property, liability is in question if sensitive customer data gets stolen from your database. A breach of security to your cloud is always a fear for anyone who stores data online, especially since it seems like there is a monthly story on the news about a big box store or even the U.S. government being hacked.

The security of a cloud platform is twofold, as cloud providers such as AWS clearly state:

“Security measures that the cloud service provider (AWS) implements and operates – ‘security of the cloud.’ Security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services – ‘security in the cloud.’”

What this implies is that AWS assumes the responsibility of ensuring that the storage, database, networking, infrastructure and availability are all working seamlessly and are secure from their end. On the other side, the customer is responsible for the data that is uploaded, applications, identity and access management, operating systems, encryption, authentication, and network traffic protection.

So, how does this pertain to regulatory compliance? Depending on the industry you are in and the sensitivity of your data, you may wish to incorporate a private cloud for additional security that may be required by law, or to research the tools a provider has in place to integrate compliance audits.

“It is critical that an enterprise choose cloud vendors that are able to meet or exceed their security and compliance standards – mapping and assisting in audit and compliance activities should be delineated in contracts and service level agreements before any workload migrations start,” explains Hewlett Packard cloud security expert Chris Steffen.

“With the variety of cloud solutions in the marketplace, a solution exists that will mesh with a company’s compliance concerns and allow them to maintain the progress in security and compliance maturity they had achieved before migrating to the cloud,” said Steffen.

How to Ensure Compliance

The bottom line of compliance is security. A survey conducted by technology research company Clutch found that “migrating to the Cloud encourages companies to engage in better security practices overall… The additional security measure enterprises implement the most is data encryption (60%), followed by identity access policies (52%) and regular audits (48%). To implement additional cloud security, more than half of enterprises (59%) spend between $10,000 and $500,000.”

If this task seems like a project that you aren’t prepared to tackle, you may want to consider the newer roles of corporate, chief, or regulatory compliance officers for hire whose sole focus is to monitor adherence to the law. If this seems beyond your budget, there are also consultants available that can help you to identify and address the laws that apply to your company.

The bottom line for regulatory compliance is summed up concisely by Duane Tharp of Cloud Elements:

“The first reason is regulatory. Businesses have to be compliant to a regulatory regime, whether state, federal, or internal. The other reason is fear. The nominal additional investment in security potentially can prevent a bad situation from arising in the future.”

To learn more about staying secure in the cloud, find out what 18 experts advise for effective and secure cloud migration.

About the Author: Alex Miller is a Senior Analyst at Clutch where he heads the cloud research segments. Clutch is a Washington, DC-based B2B ratings and reviews website that highlights leading software and professional services firms. Alex graduated from the George Washington University in DC. You can follow him on Twitter and LinkedIn.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.